Malicious Package

Affecting node-spdy package, ALL versions

Overview

The package name node-spdy is not currently in use, but it was formerly occupied by another package.

Affected versions of this package contain malicious code that uploads system information such as OS and hostname to a remote server.

Remediation

There is no fixed version for node-spdy.
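
Since there is no fixed version, the practical check is whether node-spdy appears anywhere in a project's dependency tree. The following is an added example, not code from the advisory or from the package: it searches a parsed package-lock.json in both the flat "packages" layout and the nested "dependencies" layout. The sample lockfile, its versions and the http-helper package name are constructed for illustration.

```javascript
// Added example: locate every copy of a named package in a parsed package-lock.json.
const TARGET = "node-spdy"; // package name from this advisory

function findInLock(lock, name = TARGET) {
  const hits = new Map(); // install path -> version, de-duplicated across layouts

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // "" is the root project itself
    // Exact name match, so the unrelated "spdy" package is not reported.
    if (path.slice(idx + marker.length) === name) {
      hits.set(path, meta.version || "unknown");
    }
  }

  // lockfileVersion 1/2: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name) hits.set(path, meta.version || "unknown");
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");

  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample (lockfileVersion 2 carries both layouts).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/spdy": { version: "4.0.2" },
    "node_modules/http-helper": { version: "1.2.0" },
    "node_modules/http-helper/node_modules/node-spdy": { version: "0.0.1" },
  },
  dependencies: {
    spdy: { version: "4.0.2" },
    "http-helper": {
      version: "1.2.0",
      dependencies: { "node-spdy": { version: "0.0.1" } },
    },
  },
};

console.log(findInLock(SAMPLE_LOCK));
```

To check a real project, pass the result of JSON.parse on the contents of its package-lock.json; any hit identifies a copy to remove from the tree.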

CVSS Score

9.8 (high severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: Tran Viet Quang
CWE: CWE-506
Snyk ID: SNYK-JS-NODESPDY-460524
Disclosed: 30 Aug, 2019
Published: 01 Sep, 2019